[PM-21926] Read salt from database

[ike-kottlowski]

🎟️ Tracking

PM-21926

📔 Objective

Add MasterPasswordSalt to the response for ReadKdfByEmail and OranizationAccountRevovery in the User Repository.

I've removed a Test pertaining to Emergency Access that tries to check the salt against the User.Email which may not be the case in the future. So, it has been removed.

Notes

The AC Repository updates for account recovery are handled in this PR which is in draft until this one is merged.

AC PR: #7231

[claude]

Claude finished @ike-kottlowski's task in 2m 12s —— View job

---

Code Review: PM-21926 Read salt from database

• Gather context and read changed files
• Perform code review
• Post review findings

---

Summary

This is a re-review after the latest sync. The PR adds MasterPasswordSalt to the UserKdfInformation model and updates both Dapper stored procedures and EF queries to return it. The previous review's findings still apply — no new issues were introduced in the latest changes.

Outstanding Items from Previous Reviews

The following items from prior reviews remain relevant:

1. mkincaid-bw's formatting requests — SQL formatting should be adjusted to match T-SQL guidelines in both the stored procedure and migration script.

2. mkincaid-bw's file name mismatch — OrganizationUser_ReadManyAccountRecoveryDetailsByOrganizationUserIds.sql file name doesn't match the stored procedure name OrganizationUser_ReadManyResetPasswordDetailsByOrganizationUserIds.

3. UserKdfInformationCompare equality comparer (from previous Claude review) — The EF integration test comparer at test/Infrastructure.EFIntegration.Test/Repositories/EqualityComparers/UserKdfInformation.cs only checks Kdf and KdfIterations, missing KdfMemory, KdfParallelism, and the new MasterPasswordSalt.

What Looks Good

• Backward compatibility: User.GetMasterPasswordSalt() correctly falls back to Email.ToLowerInvariant().Trim() when MasterPasswordSalt is null
• Migration scripts: Both use CREATE OR ALTER, which is idempotent and safe
• Test coverage: Good integration tests covering PBKDF2, Argon2id, null salt, and non-existent email cases
• Security: No sensitive data exposure concerns; salt values are expected to be readable
• CI: All checks passing — Checkmarx, SonarCloud, and Codecov all green

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 61.64%. Comparing base (11af4dc) to head (bc2aa7c).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7230      +/-   ##
==========================================
+ Coverage   57.50%   61.64%   +4.13%     
==========================================
  Files        2032     2032              
  Lines       89544    89546       +2     
  Branches     7960     7961       +1     
==========================================
+ Hits        51496    55199    +3703     
+ Misses      36202    32419    -3783     
- Partials     1846     1928      +82     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Checkmarx One – Scan Summary & Details – 4459829a-e060-44e1-9599-4fbaa95ee111

Great job! No new security vulnerabilities introduced in this pull request

[mkincaid-bw]

Minor changes requested.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
28.9% Duplication on New Code

See analysis details on SonarQube Cloud